passing arbitrary strings into a database

Discussion in 'Python' started by schwehr@gmail.com, Nov 27, 2005.


Hi All,

I was wondering if there is a helper library out there that will nicely
encode arbitrary text so that I can put it into a TEXT field in a
database and then retrieve it without getting into trouble with ', ", new
lines or other such things that would foul the SQL insert call and/or
be a security hazard? This feels like a newbie type question, but I
haven't found anything with a quick search.


wrote:
> I was wondering if there is a helper library out there that will nicely
> encode arbitrary text so that I can put it into a TEXT field in a
> database and then retrieve it without getting into trouble with ', ", new
> lines or other such things that would foul the SQL insert call and/or
> be a security hazard?

don't ever use string formatting to add values to an SQL statement.
the right way to pass variables to the database engine is to use
parameters (aka bound variables):


wrote:
> Hi All,
>
> I was wondering if there is a helper library out there that will nicely
> encode arbitrary text so that I can put it into a TEXT field in a
> database and then retrieve it without getting into trouble with ', ", new
> lines or other such things that would foul the SQL insert call and/or
> be a security hazard? This feels like a newbie type question, but I
> haven't found anything with a quick search.

Use parametrized cursor.execute(..). That is, instead of doing

c.execute("insert into foo values ('%s')" % mytext)

do

# parameters are passed as a sequence, so a single value goes in a 1-tuple
c.execute("insert into foo values (?)", (mytext,))

Attention, the actual style of a parameter is dependent on your
database, e.g. Oracle uses a different one:
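The contrast the replies describe, as an added example that is not part of the thread: both insert forms run against an in-memory SQLite table (Python's bundled sqlite3 module, whose paramstyle is "qmark" and which also accepts the ":name" style). The two sample strings are constructed for the demo; the first carries the quote characters and newline the original poster asked about, the second is a payload that closes the literal and smuggles in a second row when the value is spliced in with string formatting, but is stored verbatim when bound as a parameter.

```python
import sqlite3

# Constructed sample inputs (not from the thread): the first carries the
# single quote, double quote and newline the original poster worried about,
# the second is a payload that closes the literal and smuggles in a second row.
QUOTED_TEXT = "O'Reilly \"said\"\nline two"
INJECTION_TEXT = "x'), ('injected"


def fresh_db():
    """In-memory SQLite database with one TEXT column, so the demo runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def insert_unsafe(conn, text):
    """The pattern the reply warns against: string formatting splices the value
    into the SQL text, so quotes in `text` change the statement itself."""
    conn.execute("INSERT INTO foo (body) VALUES ('%s')" % text)


def insert_safe(conn, text):
    """Bound parameter, qmark style (what sqlite3 declares): the driver passes
    `text` as a value, never as SQL. Parameters must be a sequence, hence the 1-tuple."""
    conn.execute("INSERT INTO foo (body) VALUES (?)", (text,))


def insert_safe_named(conn, text):
    """Same thing in the named style, which sqlite3 also accepts; other DB-API
    modules declare one of qmark, numeric, named, format or pyformat."""
    conn.execute("INSERT INTO foo (body) VALUES (:body)", {"body": text})


def fetch_bodies(conn):
    """Every stored TEXT value, in insertion order."""
    return [row[0] for row in conn.execute("SELECT body FROM foo ORDER BY id")]


def demo(text, inserter):
    """Run one inserter against a fresh table and report what ended up stored:
    ("ok", [rows]) on success, ("error", exception class name) if the SQL broke."""
    conn = fresh_db()
    try:
        inserter(conn, text)
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)
    return ("ok", fetch_bodies(conn))


def module_paramstyle():
    """Placeholder style the driver declares; check this before writing a query."""
    return sqlite3.paramstyle


if __name__ == "__main__":
    for label, text in (("quoted", QUOTED_TEXT), ("injection", INJECTION_TEXT)):
        for inserter in (insert_unsafe, insert_safe, insert_safe_named):
            print(label, inserter.__name__, demo(text, inserter))
    print("sqlite3.paramstyle =", module_paramstyle())
```

With the quoted text, the formatted statement is simply broken SQL (the single quote in O'Reilly ends the literal early), which is the "fouling the insert call" symptom; with the injection payload the formatted statement is valid SQL that stores two rows, which is the security hazard. Both bound forms store exactly one row whose value round-trips unchanged, and no escaping helper is needed because the text never passes through the SQL parser.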
